
I need your HELP!!! - MERGED 2


9 replies to this topic

#1 pagassus

pagassus

    Member

  • Full Member
  • 5 posts

Posted 23 May 2004 - 08:59 PM

I used the HijackThis program to delete all the hijacking programs from my computer..

Please give me advice on whether to delete items from this list...

Logfile of HijackThis v1.97.7
Scan saved at ?? 9:45:01, on 2004-05-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SERVICES.EXE
C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\wapitr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
C:\VSTASCAN\vsaccess.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\system32\services\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Vc Proc Bags - {46053DCB-37EA-F550-685F-385FFF5274B0} - C:\PROGRA~1\GREYIN~1\LiesSpam.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Folder Service ] C:\Program Files\Common Files\Services\wssdtu.exe
O4 - HKLM\..\Run: [Enumeration Service ] C:\Program Files\Common Files\Services\wsys.exe
O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\ZgnF.exe
O4 - HKLM\..\Run: [hqlcrkz] C:\WINNT\hqlcrkz.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapitr.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0C4A9D28-66B5-4A70-B915-B6AEA5112472} (Icon02 Control) - http://www.bestcode....ivex/icon02.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.co...On/AlwaysOn.CAB
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_EN.cab
O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol....FileControl.cab
O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall....le/livecall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E452475-E8F6-4C26-9BA1-8105CB710199} (TvOnline Control) - http://www.everyzone...fer/pcsafer.cab
O16 - DPF: {53F55D30-56CC-4258-8617-4A9F48E7F572} (NexgramAPIClass Class) - http://www.buddybudd.../cab/nexweb.cab
O16 - DPF: {5BE1D8CB-0520-4763-B44A-ECFE45AB4757} (Dmmn Class) - http://wm.daum.net:7...ctivex/dmmn.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownloa...n/myv3/myv3.cab
O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D44A} (WebCtrl Class) - http://www.peeringpo...7/FandangoV.cab
O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl415.daum.n..._fileupload.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7935.6316203704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/BM2/BM2.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F73D5D5D-04E9-44B7-A6B5-4A51482E5DF4} (ToonsXDaum Control) - http://comic.daum.ne.../ToonsXDaum.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

#2 Taz71498

Taz71498

    Advanced Member

  • Retired Staff
  • 225 posts

Posted 24 May 2004 - 11:57 AM

Hello pagassus,

First I see you have the Peper trojan:

Download Peper Fix and run the fix.

Next, yes, it is common to have to be online to uninstall some programs so go ahead and do so.

Next, Download CWShredder Click on update, then close all browsers, and then click on Fix, not scan.

Next, download Spybot S&D Check for Updates first, download ALL Updates and Do a Scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

Reboot the computer.

Run Hijackthis again and post a fresh log here.

#3 pagassus

pagassus

    Member

  • Full Member
  • 5 posts

Posted 24 May 2004 - 03:08 PM

Please look it over and tell me what to delete... :)



Logfile of HijackThis v1.97.7
Scan saved at ?? 4:05:18, on 2004-05-24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SERVICES.EXE
C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\wapitr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daum.net/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\system32\services\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Folder Service ] C:\Program Files\Common Files\Services\wssdtu.exe
O4 - HKLM\..\Run: [Enumeration Service ] C:\Program Files\Common Files\Services\wsys.exe
O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\ZgnF.exe
O4 - HKLM\..\Run: [hqlcrkz] C:\WINNT\hqlcrkz.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapitr.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0C4A9D28-66B5-4A70-B915-B6AEA5112472} (Icon02 Control) - http://www.bestcode....ivex/icon02.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.co...On/AlwaysOn.CAB
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_EN.cab
O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol....FileControl.cab
O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall....le/livecall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E452475-E8F6-4C26-9BA1-8105CB710199} (TvOnline Control) - http://www.everyzone...fer/pcsafer.cab
O16 - DPF: {53F55D30-56CC-4258-8617-4A9F48E7F572} (NexgramAPIClass Class) - http://www.buddybudd.../cab/nexweb.cab
O16 - DPF: {5BE1D8CB-0520-4763-B44A-ECFE45AB4757} (Dmmn Class) - http://wm.daum.net:7...ctivex/dmmn.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownloa...n/myv3/myv3.cab
O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D44A} (WebCtrl Class) - http://www.peeringpo...7/FandangoV.cab
O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl415.daum.n..._fileupload.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7935.6316203704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/BM2/BM2.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F73D5D5D-04E9-44B7-A6B5-4A51482E5DF4} (ToonsXDaum Control) - http://comic.daum.ne.../ToonsXDaum.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

#4 pagassus

pagassus

    Member

  • Full Member
  • 5 posts

Posted 24 May 2004 - 03:09 PM

Thanks for your advice.

I did what you told me to do.

Now, here is my fresh log....


Logfile of HijackThis v1.97.7
Scan saved at ?? 4:05:18, on 2004-05-24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SERVICES.EXE
C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\wapitr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daum.net/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\system32\services\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Folder Service ] C:\Program Files\Common Files\Services\wssdtu.exe
O4 - HKLM\..\Run: [Enumeration Service ] C:\Program Files\Common Files\Services\wsys.exe
O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\ZgnF.exe
O4 - HKLM\..\Run: [hqlcrkz] C:\WINNT\hqlcrkz.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapitr.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0C4A9D28-66B5-4A70-B915-B6AEA5112472} (Icon02 Control) - http://www.bestcode....ivex/icon02.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.co...On/AlwaysOn.CAB
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_EN.cab
O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol....FileControl.cab
O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall....le/livecall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E452475-E8F6-4C26-9BA1-8105CB710199} (TvOnline Control) - http://www.everyzone...fer/pcsafer.cab
O16 - DPF: {53F55D30-56CC-4258-8617-4A9F48E7F572} (NexgramAPIClass Class) - http://www.buddybudd.../cab/nexweb.cab
O16 - DPF: {5BE1D8CB-0520-4763-B44A-ECFE45AB4757} (Dmmn Class) - http://wm.daum.net:7...ctivex/dmmn.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownloa...n/myv3/myv3.cab
O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D44A} (WebCtrl Class) - http://www.peeringpo...7/FandangoV.cab
O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl415.daum.n..._fileupload.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7935.6316203704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/BM2/BM2.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F73D5D5D-04E9-44B7-A6B5-4A51482E5DF4} (ToonsXDaum Control) - http://comic.daum.ne.../ToonsXDaum.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

#5 Taz71498

Taz71498

    Advanced Member

  • Retired Staff
  • 225 posts

Posted 24 May 2004 - 03:26 PM

Hello,

Download VX2Finder from this link:
http://tools.zerosre...m/VX2Finder.exe


Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.
--------------------------------

Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)

-----------------
Once back in Windows


Open VX2Finder again and click on these buttons in the right pane:

user agent, Guardian.reg, restore policy

Exit and reboot.

Next,

The Peper Trojan is still there. Run the fix again, stay online when you run the fix.

Next, delete the contents of the "temp" folder and completely delete the cache folders.

Open Internet Explorer. Then click on TOOLS in the top toolbar. Click on "Internet Options..." from the drop-down menu.
A new smaller window will display. Under the "General" tab, in the middle, are 3 buttons.
Click the Delete Cookies button - then a small warning box pops up. Click OK.
Click the Delete Files button - a small warning box pops up. Check the box for "Delete all offline content" and click OK.
Then on the same General tab, click Clear History, then click OK.

Run HJT again, check these items and then click on Fix:

R3 - Default URLSearchHook is missing

F1 - win.ini: run=C:\WINNT\system32\services\services.exe

O4 - HKLM\..\Run: [Folder Service ] C:\Program Files\Common Files\Services\wssdtu.exe
O4 - HKLM\..\Run: [Enumeration Service ] C:\Program Files\Common Files\Services\wsys.exe
O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [hqlcrkz] C:\WINNT\hqlcrkz.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapitr.exe

O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_EN.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

Reboot the computer into safe mode

Make sure you can view all hidden files and folders

Find and delete these files/folders (if you don't find them, that is ok):

C:\Program Files\Common Files\Services\wssdtu.exe
C:\Program Files\Common Files\Services\wsys.exe
C:\WINNT\system32\dp-him.exe
C:\WINNT\hqlcrkz.exe
internat.exe
C:\WINNT\system32\wapitr.exe

Edited by Taz71498, 24 May 2004 - 03:28 PM.
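The helper's workflow above is a manual diff: compare the fresh HijackThis log against the previous one and against the list of items marked for Fix, and look for autostart entries that point somewhere suspicious (a user's temp folder, a component whose file is missing, a legacy win.ini run= line). The script below is an added example, written for this page and not code from the thread, from HijackThis or from VX2Finder. It parses the R/F/O lines of a HijackThis log into records, diffs two logs, flags entries worth a second look, and reports which items from a Fix list are still present. The sample logs are short excerpts constructed from the posts above; the review heuristics are the editor's own and are assumptions, not part of any tool.

```python
import re
from dataclasses import dataclass

# One HijackThis entry line: "<section code> - <detail>",
# e.g. "O4 - HKLM\..\Run: [GZ9Zuhz] C:\...\temp\GZ9Zuhz.exe".
# Header lines ("Logfile of ...", "Running processes:") and bare process
# paths do not start with a section code and are skipped.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<detail>.+?)\s*$")


@dataclass(frozen=True)
class HjtEntry:
    code: str    # section code such as R0, F1, O4, O16
    detail: str  # everything after the " - "


def parse_hjt_log(text: str) -> list[HjtEntry]:
    """Return the section entries of a HijackThis log in file order."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("code"), m.group("detail")))
    return entries


def diff_logs(before: str, after: str) -> tuple[set[HjtEntry], set[HjtEntry]]:
    """(removed, added): entries gone from the fresh log, entries new in it."""
    old, new = set(parse_hjt_log(before)), set(parse_hjt_log(after))
    return old - new, new - old


def review_reasons(entry: HjtEntry) -> list[str]:
    """Editor's own triage heuristics (assumptions, not HijackThis logic)."""
    reasons = []
    d = entry.detail.lower()
    if "\\local settings\\temp\\" in d:
        reasons.append("autostart runs from the user's temp folder")
    if "(file missing)" in d:
        reasons.append("registered component whose file is missing")
    if entry.code == "F1" and d.startswith("win.ini:"):
        reasons.append("legacy win.ini run= autostart")
    return reasons


def triage(text: str) -> dict[HjtEntry, list[str]]:
    """Map each flagged entry of a log to the reasons it was flagged."""
    return {e: r for e in parse_hjt_log(text) if (r := review_reasons(e))}


def still_present(fix_list: str, fresh_log: str) -> list[HjtEntry]:
    """Entries from a helper's Fix list that the fresh log still contains."""
    wanted = set(parse_hjt_log(fix_list))
    return [e for e in parse_hjt_log(fresh_log) if e in wanted]


# Constructed excerpt of the first log in the thread (post #1).
SAMPLE_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\system32\services\services.exe
O3 - Toolbar: Vc Proc Bags - {46053DCB-37EA-F550-685F-385FFF5274B0} - C:\PROGRA~1\GREYIN~1\LiesSpam.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_EN.cab
"""

# Constructed excerpt of the fresh log posted after the first round of fixes (post #3).
SAMPLE_AFTER = r"""Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daum.net/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\system32\services\services.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_EN.cab
"""

# Constructed excerpt of the helper's Fix list (post #5).
FIX_LIST = r"""R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\system32\services\services.exe
O4 - HKLM\..\Run: [GZ9Zuhz] C:\documents and settings\administrator\local settings\temp\GZ9Zuhz.exe
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapitr.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_EN.cab
"""

if __name__ == "__main__":
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("removed since last log:", *(f"{e.code} - {e.detail}" for e in removed), sep="\n  ")
    print("new in fresh log:", *(f"{e.code} - {e.detail}" for e in added), sep="\n  ")
    print("flagged for review:", *(f"{e.code} - {e.detail}: {'; '.join(r)}"
                                    for e, r in triage(SAMPLE_BEFORE).items()), sep="\n  ")
    print("Fix-list items still present:", *(f"{e.code} - {e.detail}"
                                            for e in still_present(FIX_LIST, SAMPLE_AFTER)), sep="\n  ")
```

Run it on two full logs saved as text files by replacing the constructed samples with `open(path).read()`; the entries compare by section code plus detail text, so an autostart whose value changes between logs shows up as one removed and one added entry rather than disappearing silently.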


#6 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 24 May 2004 - 07:00 PM

Threads merged to here, stick to just this one please. Hit ADD REPLY, not NEW TOPIC.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#7 pagassus

pagassus

    Member

  • Full Member
  • 5 posts

Posted 25 May 2004 - 02:20 PM

Thanks once again.

here is the log.

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINNT\system32\ahlui.dll


Guardian Key--- is called: GuardianULJTI
Asynchronous 000
DllName C:\WINNT\system32\ahlui.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {9100459C-B509-4CFF-B1FC-272BB1A5C46B}
IDex BM2

User Agent String---
{9100459C-B509-4CFF-B1FC-272BB1A5C46B}

#8 Taz71498

Taz71498

    Advanced Member

  • Retired Staff
  • 225 posts

Posted 25 May 2004 - 05:05 PM

Hello again,

Could you post another Hijackthis log also please.

#9 pagassus

pagassus

    Member

  • Full Member
  • 5 posts

Posted 26 May 2004 - 02:51 PM

Hi,

I got a problem from using Vx2Finder.
I selected the *Delete these files* button, but ever since I rebooted, I'm getting these error messages from Windows.

It's something like, an error occurred running "wilgon.exe" and "rundll32.exe" files and I need to reboot the system again. (I'm not exactly sure of the file names, though, but it was something like that.)
And the problem is, even though I can still use Windows, I can't restart or turn off my computer using Shut Down from the Start menu. I have to press the button on my computer to shut it off....

What should I do?

#10 Taz71498

Taz71498

    Advanced Member

  • Retired Staff
  • 225 posts

Posted 26 May 2004 - 05:40 PM

Please post a new HJT log. Those are not legit files and we will take care of those when I see your new log and see which ones to Fix.



